<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.16: http://docutils.sourceforge.net/" />
<title>openvpn examples</title>
<style type="text/css">

/*
:Author: David Goodger (goodger@python.org)
:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
:Copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils.

See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/

/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
  border: 0 }

table.borderless td, table.borderless th {
  /* Override padding for "table.docutils td" with "! important".
     The right padding separates the table cells. */
  padding: 0 0.5em 0 0 ! important }

.first {
  /* Override more specific margin styles with "! important". */
  margin-top: 0 ! important }

.last, .with-subtitle {
  margin-bottom: 0 ! important }

.hidden {
  display: none }

.subscript {
  vertical-align: sub;
  font-size: smaller }

.superscript {
  vertical-align: super;
  font-size: smaller }

a.toc-backref {
  text-decoration: none ;
  color: black }

blockquote.epigraph {
  margin: 2em 5em ; }

dl.docutils dd {
  margin-bottom: 0.5em }

object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
  overflow: hidden;
}

/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
  font-weight: bold }
*/

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title, .code .error {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

/* Uncomment (and remove this text!) to get reduced vertical space in
   compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
  margin-bottom: 0.5em }

div.compound .compound-last, div.compound .compound-middle {
  margin-top: 0.5em }
*/

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em ;
  margin-right: 2em }

div.footer, div.header {
  clear: both;
  font-size: smaller }

div.line-block {
  display: block ;
  margin-top: 1em ;
  margin-bottom: 1em }

div.line-block div.line-block {
  margin-top: 0 ;
  margin-bottom: 0 ;
  margin-left: 1.5em }

div.sidebar {
  margin: 0 0 0.5em 1em ;
  border: medium outset ;
  padding: 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }

div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
  margin-top: 0.4em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr.docutils {
  width: 75% }

img.align-left, .figure.align-left, object.align-left, table.align-left {
  clear: left ;
  float: left ;
  margin-right: 1em }

img.align-right, .figure.align-right, object.align-right, table.align-right {
  clear: right ;
  float: right ;
  margin-left: 1em }

img.align-center, .figure.align-center, object.align-center {
  display: block;
  margin-left: auto;
  margin-right: auto;
}

table.align-center {
  margin-left: auto;
  margin-right: auto;
}

.align-left {
  text-align: left }

.align-center {
  clear: both ;
  text-align: center }

.align-right {
  text-align: right }

/* reset inner alignment in figures */
div.align-right {
  text-align: inherit }

/* div.align-center * { */
/*   text-align: left } */

.align-top    {
  vertical-align: top }

.align-middle {
  vertical-align: middle }

.align-bottom {
  vertical-align: bottom }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.attribution {
  text-align: right ;
  margin-left: 50% }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font: inherit }

pre.literal-block, pre.doctest-block, pre.math, pre.code {
  margin-left: 2em ;
  margin-right: 2em }

pre.code .ln { color: grey; } /* line numbers */
pre.code, code { background-color: #eeeeee }
pre.code .comment, code .comment { color: #5C6576 }
pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
pre.code .literal.string, code .literal.string { color: #0C5404 }
pre.code .name.builtin, code .name.builtin { color: #352B84 }
pre.code .deleted, code .deleted { background-color: #DEB0A1}
pre.code .inserted, code .inserted { background-color: #A3D289}

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

span.section-subtitle {
  /* font-size relative to parent (h1..h6 element) */
  font-size: 80% }

table.citation {
  border-left: solid 1px gray;
  margin-left: 1px }

table.docinfo {
  margin: 2em 4em }

table.docutils {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.footnote {
  border-left: solid 1px black;
  margin-left: 1px }

table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

table.docutils th.field-name, table.docinfo th.docinfo-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap ;
  padding-left: 0 }

/* "booktabs" style (no vertical lines) */
table.docutils.booktabs {
  border: 0px;
  border-top: 2px solid;
  border-bottom: 2px solid;
  border-collapse: collapse;
}
table.docutils.booktabs * {
  border: 0px;
}
table.docutils.booktabs th {
  border-bottom: thin solid;
  text-align: left;
}

h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
  font-size: 100% }

ul.auto-toc {
  list-style-type: none }

</style>
</head>
<body>
<div class="document" id="openvpn-examples">
<h1 class="title">openvpn examples</h1>
<h2 class="subtitle" id="secure-ip-tunnel-daemon">Secure IP tunnel daemon</h2>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr class="manual-section field"><th class="docinfo-name">Manual section:</th><td class="field-body">5</td>
</tr>
<tr class="manual-group field"><th class="docinfo-name">Manual group:</th><td class="field-body">Configuration files</td>
</tr>
</tbody>
</table>
<div class="section" id="introduction">
<h1>INTRODUCTION</h1>
<p>This man page gives a few simple examples to create OpenVPN setups and configuration files.</p>
</div>
<div class="section" id="small-openvpn-setup-with-peer-fingerprint">
<h1>Small OpenVPN setup with peer-fingerprint</h1>
<p>This section consists of instructions how to build a small OpenVPN setup with the
<code>peer-fingerprint</code> option. This has the advantage of being easy to setup
and should be suitable for most small lab and home setups without the need for a PKI.
For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still recommended.</p>
<p>Both server and client configuration can be further modified to customise the
setup.</p>
<div class="section" id="server-setup">
<h2>Server setup</h2>
<ol class="arabic">
<li><p class="first">Install openvpn</p>
<p>Compile from source-code (see <cite>INSTALL</cite> file) or install via a distribution (apt/yum/ports)
or via installer (Windows).</p>
</li>
<li><p class="first">Generate a self-signed certificate for the server:</p>
<pre class="literal-block">
openssl req -x509 -newkey ec:&lt;(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
</pre>
</li>
<li><p class="first">Generate SHA256 fingerprint of the server certificate</p>
<p>Use the OpenSSL command line utility to view the fingerprint of just
created certificate:</p>
<pre class="literal-block">
openssl x509 -fingerprint -sha256 -in server.crt -noout
</pre>
<p>This output something similar to:</p>
<pre class="literal-block">
SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
</pre>
</li>
<li><p class="first">Write a server configuration (<cite>server.conf</cite>):</p>
<pre class="literal-block">
# The server certificate we created in step 1
cert server.crt
key server.key

dh none
dev tun

# Listen on IPv6+IPv4 simultaneously
proto udp6

# The ip address the server will distribute
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:6f76:706e::/64

# A tun-mtu of 1400 avoids problems of too big packets after VPN encapsulation
tun-mtu 1400

# The fingerprints of your clients. After adding/removing one here restart the
# server
&lt;peer-fingerprint&gt;
&lt;/peer-fingerprint&gt;

# Notify clients when you restart the server to reconnect quickly
explicit-exit-notify 1

# Ping every 60s, restart if no data received for 5 minutes
keepalive 60 300
</pre>
</li>
<li><p class="first">Add at least one client as described in the client section.</p>
</li>
<li><dl class="first docutils">
<dt>Start the server.</dt>
<dd><ul class="first last">
<li><p class="first">On systemd based distributions move <cite>server.crt</cite>, <cite>server.key</cite> and
<cite>server.conf</cite> to <code>/etc/openvpn/server</code> and start it via systemctl</p>
<pre class="literal-block">
sudo mv server.conf server.key server.crt /etc/openvpn/server

sudo systemctl start openvpn-server&#64;server
</pre>
</li>
</ul>
</dd>
</dl>
</li>
</ol>
</div>
<div class="section" id="adding-a-client">
<h2>Adding a client</h2>
<ol class="arabic">
<li><p class="first">Install OpenVPN</p>
</li>
<li><p class="first">Generate a self-signed certificate for the client. In this example the client
name is alice. Each client should have a unique name. Replace alice with a
different name for each client.</p>
<pre class="literal-block">
openssl req -x509 -newkey ec:&lt;(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice'
</pre>
<p>This generate a certificate and a key for the client. The output of the command will look
something like this:</p>
<pre class="literal-block">
-----BEGIN PRIVATE KEY-----
[base64 content]
-----END PRIVATE KEY-----
-----
-----BEGIN CERTIFICATE-----
[base 64 content]
-----END CERTIFICATE-----
</pre>
</li>
<li><p class="first">Create a new client configuration file. In this example we will name the file
<cite>alice.ovpn</cite>:</p>
<pre class="literal-block">
# The name of your server to connect to
remote yourserver.example.net
client
# use a random source port instead the fixed 1194
nobind

# Uncomment the following line if you want to route
# all traffic via the VPN
# redirect-gateway def1 ipv6

# To set a DNS server
# dhcp-option DNS 192.168.234.1

&lt;key&gt;
-----BEGIN PRIVATE KEY-----
[Insert here the key created in step 2]
-----END PRIVATE KEY-----
&lt;/key&gt;
&lt;cert&gt;
-----BEGIN CERTIFICATE-----
[Insert here the certificate created in step 2]
-----END CERTIFICATE-----
&lt;/cert&gt;

# This is the fingerprint of the server that we trust. We generated this fingerprint
# in step 2 of the server setup
peer-fingerprint 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff

# The tun-mtu of the client should match the server MTU
tun-mtu 1400
dev tun
</pre>
</li>
<li><p class="first">Generate the fingerprint of the client certificate. For that we will
let OpenSSL read the client configuration file as the x509 command will
ignore anything that is not between the begin and end markers of the certificate:</p>
<pre class="literal-block">
openssl x509 -fingerprint -sha256 -noout -in alice.ovpn
</pre>
<p>This will again output something like</p>
<pre class="literal-block">
SHA256 Fingerprint=ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
</pre>
</li>
<li><p class="first">Edit the <cite>server.conf</cite> configuration file and add this new client
fingerprint as additional line  between <code>&lt;peer-fingerprint&gt;</code>
and <code>&lt;/peer-fingerprint&gt;</code></p>
<p>After adding <em>two</em> clients the part of configuration would look like this:</p>
<pre class="literal-block">
&lt;peer-fingerprint&gt;
ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
&lt;/peer-fingperint&gt;
</pre>
</li>
<li><p class="first">(optional) if the client is an older client that does not support the
<code>peer-fingerprint</code> (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3
and older), the client config <cite>alice.ovpn</cite> can be modified to still work with
these clients.</p>
<p>Remove the line starting with <code>peer-fingerprint</code>. Then
add a new <code>&lt;ca&gt;</code> section at the end of the configuration file
with the contents of the <code>server.crt</code> created in step 2 of the
server setup. The end of <cite>alice.ovpn</cite> file should like:</p>
<pre class="literal-block">
[...]  # Beginning of the file skipped
&lt;/cert&gt;

# The tun-mtu of the client should match the server MTU
tun-mtu 1400
dev tun

&lt;ca&gt;
[contents of the server.crt]
&lt;/ca&gt;
</pre>
<p>Note that we put the <code>&lt;ca&gt;</code> section after the <code>&lt;cert&gt;</code> section
to make the fingerprint generation from step 4 still work since it will
only use the first certificate it finds.</p>
</li>
<li><p class="first">Import the file into the OpenVPN client or just use the
<code>openvpn alice.ovpn</code> to start the VPN.</p>
</li>
</ol>
</div>
</div>
<div class="section" id="examples">
<h1>EXAMPLES</h1>
<p>Prior to running these examples, you should have OpenVPN installed on
two machines with network connectivity between them. If you have not yet
installed OpenVPN, consult the INSTALL file included in the OpenVPN
distribution.</p>
<div class="section" id="firewall-setup">
<h2>Firewall Setup:</h2>
<p>If firewalls exist between the two machines, they should be set to
forward the port OpenVPN is configured to use, in both directions.
The default for OpenVPN is 1194/udp.  If you do not have control
over the firewalls between the two machines, you may still be able to
use OpenVPN by adding <tt class="docutils literal"><span class="pre">--ping</span> 15</tt> to each of the <tt class="docutils literal">openvpn</tt> commands
used below in the examples (this will cause each peer to send out a UDP
ping to its remote peer once every 15 seconds which will cause many
stateful firewalls to forward packets in both directions without an
explicit firewall rule).</p>
<p>Please see your operating system guides for how to configure the firewall
on your systems.</p>
</div>
<div class="section" id="vpn-address-setup">
<h2>VPN Address Setup:</h2>
<p>For purposes of our example, our two machines will be called
<tt class="docutils literal">bob.example.com</tt> and <tt class="docutils literal">alice.example.com</tt>. If you are constructing a
VPN over the internet, then replace <tt class="docutils literal">bob.example.com</tt> and
<tt class="docutils literal">alice.example.com</tt> with the internet hostname or IP address that each
machine will use to contact the other over the internet.</p>
<p>Now we will choose the tunnel endpoints. Tunnel endpoints are private IP
addresses that only have meaning in the context of the VPN. Each machine
will use the tunnel endpoint of the other machine to access it over the
VPN. In our example, the tunnel endpoint for bob.example.com will be
10.4.0.1 and for alice.example.com, 10.4.0.2.</p>
<p>Once the VPN is established, you have essentially created a secure
alternate path between the two hosts which is addressed by using the
tunnel endpoints. You can control which network traffic passes between
the hosts (a) over the VPN or (b) independently of the VPN, by choosing
whether to use (a) the VPN endpoint address or (b) the public internet
address, to access the remote host. For example if you are on
bob.example.com and you wish to connect to <tt class="docutils literal">alice.example.com</tt> via
<tt class="docutils literal">ssh</tt> without using the VPN (since <strong>ssh</strong> has its own built-in security)
you would use the command <tt class="docutils literal">ssh alice.example.com</tt>. However in the same
scenario, you could also use the command <tt class="docutils literal">telnet 10.4.0.2</tt> to create a
telnet session with alice.example.com over the VPN, that would use the
VPN to secure the session rather than <tt class="docutils literal">ssh</tt>.</p>
<p>You can use any address you wish for the tunnel endpoints but make sure
that they are private addresses (such as those that begin with 10 or
192.168) and that they are not part of any existing subnet on the
networks of either peer, unless you are bridging. If you use an address
that is part of your local subnet for either of the tunnel endpoints,
you will get a weird feedback loop.</p>
</div>
<div class="section" id="example-1-a-simple-tunnel-without-security-not-recommended">
<h2>Example 1: A simple tunnel without security (not recommended)</h2>
<p>On bob:</p>
<pre class="literal-block">
openvpn --remote alice.example.com --dev tun1 \
         --ifconfig 10.4.0.1 10.4.0.2 --verb 9
</pre>
<p>On alice:</p>
<pre class="literal-block">
openvpn --remote bob.example.com --dev tun1 \
         --ifconfig 10.4.0.2 10.4.0.1 --verb 9
</pre>
<p>Now verify the tunnel is working by pinging across the tunnel.</p>
<p>On bob:</p>
<pre class="literal-block">
ping 10.4.0.2
</pre>
<p>On alice:</p>
<pre class="literal-block">
ping 10.4.0.1
</pre>
<p>The <tt class="docutils literal"><span class="pre">--verb</span> 9</tt> option will produce verbose output, similar to the
<tt class="docutils literal">tcpdump</tt>(8) program. Omit the <tt class="docutils literal"><span class="pre">--verb</span> 9</tt> option to have OpenVPN run
quietly.</p>
</div>
<div class="section" id="example-2-a-tunnel-with-self-signed-certificates-and-fingerprint">
<h2>Example 2: A tunnel with self-signed certificates and fingerprint</h2>
<p>First build a self-signed certificate on bob and display its fingerprint.</p>
<pre class="literal-block">
openssl req -x509 -newkey ec:&lt;(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob'
openssl x509 -noout -sha256 -fingerprint -in bob.pem
</pre>
<p>and the same on alice:</p>
<pre class="literal-block">
openssl req -x509 -newkey ec:&lt;(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice'
openssl x509 -noout -sha256 -fingerprint -in alice.pem
</pre>
<p>These commands will build a text file called <tt class="docutils literal">bob.pem</tt> or <tt class="docutils literal">alice.pem</tt> (in ascii format)
that contain both self-signed certificate and key and show the fingerprint of the certificates.
Transfer the fingerprints  over a secure medium such as by using
the <tt class="docutils literal">scp</tt>(1) or <tt class="docutils literal">ssh</tt>(1) program.</p>
<p>On bob:</p>
<pre class="literal-block">
openvpn --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dev tun --dh none \
        --cert bob.pem --key bob.pem --cipher AES-256-GCM \
        --peer-fingerprint &quot;$fingerprint_of_alices_cert&quot;
</pre>
<p>On alice:</p>
<pre class="literal-block">
openvpn --remote bob.example.com --tls-client --dev tun1   \
        --ifconfig 10.4.0.2 10.4.0.1 --cipher AES-256-GCM  \
        --cert alice.pem --key alice.pem                   \
        --peer-fingerprint &quot;$fingerprint_of_bobs_cert&quot;
</pre>
<p>Now verify the tunnel is working by pinging across the tunnel.</p>
<p>On bob:</p>
<pre class="literal-block">
ping 10.4.0.2
</pre>
<p>On alice:</p>
<pre class="literal-block">
ping 10.4.0.1
</pre>
<p>Note: This example use a elliptic curve (<cite>secp384</cite>), which allows
<tt class="docutils literal"><span class="pre">--dh</span></tt> to be set to <tt class="docutils literal">none</tt>.</p>
</div>
<div class="section" id="example-3-a-tunnel-with-full-pki-and-tls-based-security">
<h2>Example 3: A tunnel with full PKI and TLS-based security</h2>
<p>For this test, we will designate <tt class="docutils literal">bob</tt> as the TLS client and <tt class="docutils literal">alice</tt>
as the TLS server.</p>
<dl class="docutils">
<dt><em>Note:</em></dt>
<dd>The client or server designation only has
meaning for the TLS subsystem. It has no bearing on OpenVPN's
peer-to-peer, UDP-based communication model.*</dd>
</dl>
<p>First, build a separate certificate/key pair for both bob and alice (see
above where <tt class="docutils literal"><span class="pre">--cert</span></tt> is discussed for more info). Then construct
Diffie Hellman parameters (see above where <tt class="docutils literal"><span class="pre">--dh</span></tt> is discussed for
more info). You can also use the included test files <code>client.crt</code>,
<code>client.key</code>, <code>server.crt</code>, <code>server.key</code> and
<code>ca.crt</code>. The <tt class="docutils literal">.crt</tt> files are certificates/public-keys, the
<tt class="docutils literal">.key</tt> files are private keys, and <code>ca.crt</code> is a certification
authority who has signed both <code>client.crt</code> and <code>server.crt</code>.
For Diffie Hellman parameters you can use the included file
<code>dh2048.pem</code>.</p>
<dl class="docutils">
<dt><em>WARNING:</em></dt>
<dd>All client, server, and certificate authority certificates
and keys included in the OpenVPN distribution are totally
insecure and should be used for testing only.</dd>
</dl>
<p>On bob:</p>
<pre class="literal-block">
openvpn --remote alice.example.com --dev tun1    \
        --ifconfig 10.4.0.1 10.4.0.2             \
        --tls-client --ca ca.crt                 \
        --cert client.crt --key client.key       \
        --reneg-sec 60 --verb 5
</pre>
<p>On alice:</p>
<pre class="literal-block">
openvpn --remote bob.example.com --dev tun1      \
        --ifconfig 10.4.0.2 10.4.0.1             \
        --tls-server --dh dh1024.pem --ca ca.crt \
        --cert server.crt --key server.key       \
        --reneg-sec 60 --verb 5
</pre>
<p>Now verify the tunnel is working by pinging across the tunnel.</p>
<p>On bob:</p>
<pre class="literal-block">
ping 10.4.0.2
</pre>
<p>On alice:</p>
<pre class="literal-block">
ping 10.4.0.1
</pre>
<p>Notice the <tt class="docutils literal"><span class="pre">--reneg-sec</span> 60</tt> option we used above. That tells OpenVPN
to renegotiate the data channel keys every minute. Since we used
<tt class="docutils literal"><span class="pre">--verb</span> 5</tt> above, you will see status information on each new key
negotiation.</p>
<p>For production operations, a key renegotiation interval of 60 seconds is
probably too frequent. Omit the <tt class="docutils literal"><span class="pre">--reneg-sec</span> 60</tt> option to use
OpenVPN's default key renegotiation interval of one hour.</p>
</div>
<div class="section" id="routing">
<h2>Routing:</h2>
<p>Assuming you can ping across the tunnel, the next step is to route a
real subnet over the secure tunnel. Suppose that bob and alice have two
network interfaces each, one connected to the internet, and the other to
a private network. Our goal is to securely connect both private
networks. We will assume that bob's private subnet is <em>10.0.0.0/24</em> and
alice's is <em>10.0.1.0/24</em>.</p>
<p>First, ensure that IP forwarding is enabled on both peers. On Linux,
enable routing:</p>
<pre class="literal-block">
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
</pre>
<p>This setting is not persistent.  Please see your operating systems
documentation how to properly configure IP forwarding, which is also
persistent through system boots.</p>
<p>If your system is configured with a firewall.  Please see your operating
systems guide on how to configure the firewall.  You typically want to
allow traffic coming from and going to the tun/tap adapter OpenVPN is
configured to use.</p>
<p>On bob:</p>
<pre class="literal-block">
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
</pre>
<p>On alice:</p>
<pre class="literal-block">
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
</pre>
<p>Now any machine on the <em>10.0.0.0/24</em> subnet can access any machine on the
<em>10.0.1.0/24</em> subnet over the secure tunnel (or vice versa).</p>
<p>In a production environment, you could put the route command(s) in a
script and execute with the <tt class="docutils literal"><span class="pre">--up</span></tt> option.</p>
</div>
</div>
</div>
</body>
</html>
